diff options
author | Lauris BH <lauris@nix.lv> | 2020-03-05 08:30:33 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-03-05 08:30:33 +0200 |
commit | 37c3db7be6dd6fc5ee085979cc5f5dda09d978c3 (patch) | |
tree | f77e1d61daaee11f6aab8e491120620e597c2782 /modules/auth | |
parent | be544e8e6a78360d87315ada9695cc6d70c3617c (diff) | |
download | gitea-37c3db7be6dd6fc5ee085979cc5f5dda09d978c3.tar.gz gitea-37c3db7be6dd6fc5ee085979cc5f5dda09d978c3.zip |
Add restricted user filter to LDAP authentication (#10600)
* Add restricted user filter to LDAP authentification
* Fix unit test cases
Diffstat (limited to 'modules/auth')
-rw-r--r-- | modules/auth/auth_form.go | 1 | ||||
-rw-r--r-- | modules/auth/ldap/ldap.go | 64 |
2 files changed, 51 insertions, 14 deletions
diff --git a/modules/auth/auth_form.go b/modules/auth/auth_form.go index a30ebb75eb..7fc62607e5 100644 --- a/modules/auth/auth_form.go +++ b/modules/auth/auth_form.go @@ -30,6 +30,7 @@ type AuthenticationForm struct { SearchPageSize int Filter string AdminFilter string + RestrictedFilter string AllowDeactivateAll bool IsActive bool IsSyncEnabled bool diff --git a/modules/auth/ldap/ldap.go b/modules/auth/ldap/ldap.go index 7f0d2c93f3..66676f2829 100644 --- a/modules/auth/ldap/ldap.go +++ b/modules/auth/ldap/ldap.go @@ -46,6 +46,7 @@ type Source struct { SearchPageSize uint32 // Search with paging page size Filter string // Query filter to validate entry AdminFilter string // Query filter to check if user is admin + RestrictedFilter string // Query filter to check if user is restricted Enabled bool // if this source is disabled AllowDeactivateAll bool // Allow an empty search response to deactivate all users from this source } @@ -58,6 +59,7 @@ type SearchResult struct { Mail string // E-mail address SSHPublicKey []string // SSH Public Key IsAdmin bool // if user is administrator + IsRestricted bool // if user is restricted } func (ls *Source) sanitizedUserQuery(username string) (string, bool) { @@ -153,22 +155,48 @@ func bindUser(l *ldap.Conn, userDN, passwd string) error { } func checkAdmin(l *ldap.Conn, ls *Source, userDN string) bool { - if len(ls.AdminFilter) > 0 { - log.Trace("Checking admin with filter %s and base %s", ls.AdminFilter, userDN) - search := ldap.NewSearchRequest( - userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, ls.AdminFilter, - []string{ls.AttributeName}, - nil) + if len(ls.AdminFilter) == 0 { + return false + } + log.Trace("Checking admin with filter %s and base %s", ls.AdminFilter, userDN) + search := ldap.NewSearchRequest( + userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, ls.AdminFilter, + []string{ls.AttributeName}, + nil) - sr, err := l.Search(search) + sr, err := l.Search(search) - if err != nil { - log.Error("LDAP Admin Search failed unexpectedly! (%v)", err) - } else if len(sr.Entries) < 1 { - log.Trace("LDAP Admin Search found no matching entries.") - } else { - return true - } + if err != nil { + log.Error("LDAP Admin Search failed unexpectedly! (%v)", err) + } else if len(sr.Entries) < 1 { + log.Trace("LDAP Admin Search found no matching entries.") + } else { + return true + } + return false +} + +func checkRestricted(l *ldap.Conn, ls *Source, userDN string) bool { + if len(ls.RestrictedFilter) == 0 { + return false + } + if ls.RestrictedFilter == "*" { + return true + } + log.Trace("Checking restricted with filter %s and base %s", ls.RestrictedFilter, userDN) + search := ldap.NewSearchRequest( + userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, ls.RestrictedFilter, + []string{ls.AttributeName}, + nil) + + sr, err := l.Search(search) + + if err != nil { + log.Error("LDAP Restrictred Search failed unexpectedly! (%v)", err) + } else if len(sr.Entries) < 1 { + log.Trace("LDAP Restricted Search found no matching entries.") + } else { + return true } return false } @@ -284,6 +312,10 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) *SearchResul sshPublicKey = sr.Entries[0].GetAttributeValues(ls.AttributeSSHPublicKey) } isAdmin := checkAdmin(l, ls, userDN) + var isRestricted bool + if !isAdmin { + isRestricted = checkRestricted(l, ls, userDN) + } if !directBind && ls.AttributesInBind { // binds user (checking password) after looking-up attributes in BindDN context @@ -300,6 +332,7 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) *SearchResul Mail: mail, SSHPublicKey: sshPublicKey, IsAdmin: isAdmin, + IsRestricted: isRestricted, } } @@ -364,6 +397,9 @@ func (ls *Source) SearchEntries() ([]*SearchResult, error) { Mail: v.GetAttributeValue(ls.AttributeMail), IsAdmin: checkAdmin(l, ls, v.DN), } + if !result[i].IsAdmin { + result[i].IsRestricted = checkRestricted(l, ls, v.DN) + } if isAttributeSSHPublicKeySet { result[i].SSHPublicKey = v.GetAttributeValues(ls.AttributeSSHPublicKey) } |